US8032641B2 - Assymmetric traffic flow detection - Google Patents
Assymmetric traffic flow detection Download PDFInfo
- Publication number
- US8032641B2 US8032641B2 US12/433,443 US43344309A US8032641B2 US 8032641 B2 US8032641 B2 US 8032641B2 US 43344309 A US43344309 A US 43344309A US 8032641 B2 US8032641 B2 US 8032641B2
- Authority
- US
- United States
- Prior art keywords
- connection
- server
- proxy
- client
- initiating
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Expired - Fee Related, expires
Links
- 238000001514 detection method Methods 0.000 title description 7
- 238000000034 method Methods 0.000 claims abstract description 35
- 230000000977 initiatory effect Effects 0.000 claims abstract description 23
- 239000000523 sample Substances 0.000 claims description 41
- 230000004044 response Effects 0.000 claims description 35
- 230000015654 memory Effects 0.000 claims description 8
- 238000012544 monitoring process Methods 0.000 claims 4
- 230000003111 delayed effect Effects 0.000 claims 2
- 230000008569 process Effects 0.000 abstract description 20
- 238000004891 communication Methods 0.000 description 11
- 238000012545 processing Methods 0.000 description 8
- 230000006870 function Effects 0.000 description 6
- 238000010586 diagram Methods 0.000 description 4
- 230000007246 mechanism Effects 0.000 description 4
- 230000005540 biological transmission Effects 0.000 description 2
- 230000002093 peripheral effect Effects 0.000 description 2
- 241000700605 Viruses Species 0.000 description 1
- 230000001133 acceleration Effects 0.000 description 1
- 230000008901 benefit Effects 0.000 description 1
- 230000006835 compression Effects 0.000 description 1
- 238000007906 compression Methods 0.000 description 1
- 238000010276 construction Methods 0.000 description 1
- 230000006837 decompression Effects 0.000 description 1
- 238000013461 design Methods 0.000 description 1
- 230000009977 dual effect Effects 0.000 description 1
- 238000001914 filtration Methods 0.000 description 1
- 238000007689 inspection Methods 0.000 description 1
- 238000013507 mapping Methods 0.000 description 1
- 238000005457 optimization Methods 0.000 description 1
- VEMKTZHHVJILDY-UHFFFAOYSA-N resmethrin Chemical compound CC1(C)C(C=C(C)C)C1C(=O)OCC1=COC(CC=2C=CC=CC=2)=C1 VEMKTZHHVJILDY-UHFFFAOYSA-N 0.000 description 1
- 230000003068 static effect Effects 0.000 description 1
- 238000012546 transfer Methods 0.000 description 1
- 238000013519 translation Methods 0.000 description 1
- 230000001960 triggered effect Effects 0.000 description 1
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L69/00—Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
- H04L69/16—Implementation or adaptation of Internet protocol [IP], of transmission control protocol [TCP] or of user datagram protocol [UDP]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L45/00—Routing or path finding of packets in data switching networks
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L47/00—Traffic control in data switching networks
- H04L47/10—Flow control; Congestion control
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L69/00—Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
- H04L69/16—Implementation or adaptation of Internet protocol [IP], of transmission control protocol [TCP] or of user datagram protocol [UDP]
- H04L69/163—In-band adaptation of TCP data exchange; In-band control procedures
Definitions
- the present disclosure general relates to detection of asymmetric routing associated with traffic flows between remote hosts.
- one or more proxies can perform client Internet Protocol (IP) address spoofing (also known as reflect client-IP or RCIP).
- IP Internet Protocol
- a proxy can terminate a Transport Control Protocol (TCP) connection with a client and, masquerading as the client, open a TCP connection with a server.
- TCP Transport Control Protocol
- a known problem in such deployments is asymmetric routing, according to which the routed path for packets destined to the server may not be the same as the routed path for packets destined for the client or proxy.
- This condition can be relatively stable or dynamic and intermittent.
- the packets transmitted by the server such as a TCP SYN/ACK packet
- the client having no state information for the connection, attempts to terminate the TCP connection between the proxy and the server by transmitting connection-terminating packets.
- the client may transmit a TCP RESET packet.
- the proxy can detect the asymmetric routing condition when it receives the connection-terminating message (e.g., a TCP RESET) from the client.
- Network firewalls a commonly deployed device in many network architectures, can prevent the detection of asymmetric routing.
- many firewalls tend to filter or block packets—such as TCP SYN/ACK packets transmitted from the server, and the like—for which no connection state information exists and/or the connection state information indicates that a given packet is not expected.
- the operation of the firewall therefore, may prevent the proxy from detecting asymmetric routing because the packets transmitted by the server are blocked, preventing the client from transmitting a TCP RESET.
- many firewalls tend to filter or block packets—such as TCP RST packets transmitted from the client, and the like—for which no connection state information exists and/or the connection state information indicates that a given packet is not expected. The operation of the firewall, therefore, may prevent the proxy from detecting asymmetric routing because the packets transmitted by the client are blocked.
- the present invention provides methods, apparatuses and systems directed to detecting, and in some embodiments responding to, asymmetric routing in network deployments.
- a first process detects asymmetric routing at connection initiation, while the second process can detect asymmetric routing that may after connection initiation.
- FIGS. 1A , 1 B and 1 C are schematic diagrams of computer network environments, in which particular embodiments of the present invention may operate.
- FIG. 2 is a functional block diagram illustrating an example network device hardware system architecture.
- FIG. 3 is a block diagram illustrating functional modules of a proxy according to one possible embodiment of the invention.
- FIG. 4 is a schematic diagram illustrating connection splitting among a client, proxy and a server.
- FIG. 5 is a flow chart illustrating an example method that can be implemented in connection with a proxy to detect asymmetric routing.
- FIG. 6 is a flow chart illustrating another example method that can be implemented in connection with a proxy to detect asymmetric routing.
- FIG. 1A is a schematic representation of a network deployment, in which particular embodiments of the present invention have application.
- the computer network environment may comprise one or more servers 20 , one or more proxies 30 , one or more firewalls 39 , and one or more clients 60 .
- a client 60 is connected to a network 50 a , such as a Local Area Network (LAN), which itself is operably connected to intranet 49 a .
- server 60 is operably connected to LAN 50 b , which is operably connected to Internet 49 b .
- LAN Local Area Network
- Network traffic between client 60 and server 20 may be routed over one or more network paths, where at least one network path includes network path segment 99 a and at least another network path includes network path segment 99 b .
- network path segment 99 a includes a proxy 30 and firewalls 39 a and 39 c
- network path segment 99 b includes firewall 39 b . Additional firewalls may be disposed at other points in the communications path between proxy 30 and client 60 , as well as between proxy 30 and server 60 .
- FIGS. 1B and 1C illustrate alternative example computer network environments in which implementations of the present invention have application.
- Routers 40 , 42 , 44 and 46 and networks 50 a , 50 b , 50 c interconnect server(s) 20 , proxy(ies) 30 , client(s) 60 and other hosts operably connected to network 49 .
- Networks 50 a , 50 b , 50 c may comprise Local Area Networks (LANs) implemented by one or more switches, hubs, bridges, wireless access points, and/or other network devices.
- LANs Local Area Networks
- networks 50 a , 50 b , 50 c are Ethernet (IEEE 802.3) networks; however, other link layer protocols can be employed.
- Servers 20 host one or more network applications, such as a web site or an enterprise business application, accessible to one or more clients 60 .
- Servers 20 may include HTTP server, file server, media server, streaming media server and/or other functional modules to deliver network applications over the computer network environment.
- Servers 20 may establish HyperText Transport Protocol (HTTP) and/or TCP connections directly with clients 60 and/or with proxies 30 that proxy transactions between servers 20 and clients 60 .
- Clients 60 are computing systems, such as desktop computers, laptop computers, and mobile devices that host client applications that access servers 20 and other hosts operably connected to the computer network environment.
- a proxy 30 is an intermediate system that is functionally situated between a client 60 and a server 20 of a transaction.
- proxies can act as a web cache to reduce information access latency and bandwidth consumption.
- proxies can provide many other types of services including user authentication, connection acceleration, redirection, request and response filtering, access logging, translation and transcoding, virus scanning and spyware removal.
- a proxy 30 can accelerate SSL connections by offloading computation intensive cryptographic operations to built-in crypto hardware; a proxy can translate web page content from one language into another before presenting the information to the user; a proxy can perform compression and decompression over slow or cost sensitive links. Proxies can also act as provisioned service access points to traverse firewalls.
- An intelligent information security proxy is a complex network appliance that is comprised of both hardware and software, which facilitates the construction of intelligent and fine-grained policy rules, and is the enforcer of those policies.
- Proxies 30 are network proxies, such as forward (gateway) proxy caches or reverse proxy caches, that operate explicitly or transparently to clients 60 .
- Proxies 30 are operative to terminate connections on the application and/or transport layer with clients 60 , and establish application and/or transport layer connections with servers 20 .
- Proxies 30 can apply one or more policies—such as security policies, caching policies and the like—when intermediating connections between servers 20 and clients 60 .
- proxies 30 implement a redirection protocol to negotiate and establish one or more service groups with router 40 . Definition of the Service Groups allows proxies 30 to act as proxy caches for one or more servers 20 , as discussed below. Alternative embodiments are also possible.
- the proxies may be transparent proxies, such as proxy 30 a , disposed between network 50 b and router 40 to obviate the need for redirection mechanisms.
- Routers 40 , 42 , 44 , 46 are network devices that route packets according to information at Layer 3 (or Network Layer) of the Open Systems Interconnection (OSI) Reference Model. Routers 40 , 42 , 44 , 46 can be IPv4-capable, IPv6 capable or implement dual stacks capable of supporting both IPv6 and IPv4 routing functions. In the implementation shown in FIG. 1B , router 40 can be configured to redirect network traffic to one of the proxies 30 to allow the proxies to intermediate transactions between clients 60 and servers 20 .
- OSI Open Systems Interconnection
- router 40 can implement a cache communication protocol, such as the Web Cache Communications Protocol (WCCP) specified by Internet Draft “Web Cache Communication Protocol V2.0,” ⁇ http://tools.ietf.org/id/draft-wilson-wrec-wccp-v2-01.txt ⁇ , which is incorporated by reference herein.
- WCCP Web Cache Communications Protocol
- router 40 is operative to negotiate and configure one or more WCCP Service Groups with one or more proxies 30 .
- Each Service Group identifies the attributes defining the packets (e.g., IP addresses, TCP port numbers, etc.) that router 40 should redirect to one of the proxies 30 in the Service Group.
- IP addresses e.g., IP addresses, TCP port numbers, etc.
- proxies 30 and router 40 are in the same broadcast or Layer 2 domain. In other embodiments, proxies 30 and router 40 may be in different broadcast or Layer 2 domains. Still further, as discussed below, embodiments of the invention can operate in a wide variety of network configurations and topologies. As FIG. 1C illustrates, for example, proxies 30 may be physically connected to one or more access links or other strategic locations in a network to obviate the need for redirection mechanisms.
- Proxy applications such as web caches and network security or firewall devices—typically operate at Layer 7 of the OSI Reference Model; however, as part of such functionality, these proxies may also implement lower layer protocols, such as the TCP/IP protocol suite.
- FIG. 3 sets forth an example functional architecture for proxy 30 according to one possible implementation of the invention.
- Proxy 30 hosts one or more application proxies 502 .
- Application proxy 502 is a module that proxies application-level transactions between clients 60 and servers 20 .
- application proxy 502 emulates an application server to clients 60 and emulates a client to application servers 20 .
- Application proxy 502 can be configured to proxy a variety of different applications, such as Domain Name System (DNS) applications, Secure Sockets Layer (SSL) applications, HyperText Transport Protocol (HTTP) applications, File Transfer Protocol (FTP) applications, Multimedia Messaging Service (MMS) applications, Instant Messaging (IM) applications, and the like.
- DNS Domain Name System
- SSL Secure Sockets Layer
- HTTP HyperText Transport Protocol
- FTP File Transfer Protocol
- MMS Multimedia Messaging Service
- IM Instant Messaging
- User interface module 506 includes functionality that supports interface configuration and workflows according to which a network administrator may configure proxy 30 .
- Socket layer 508 provides a software endpoint for two-way communications between two application programs across a network.
- a given socket instance is typically bound to a port number so that a transport layer, such as Transmission Control Protocol (TCP) layer 510 , can identify the application, to which that data is destined to be sent.
- TCP Transmission Control Protocol
- an application proxy 502 such as a HTTP proxy, has a socket that is bound to a specific port number. The application proxy 502 listens to the socket for requests transmitted by clients.
- socket layer 508 also supports client-side functions, which application proxy(ies) 502 utilize to initiate connections with application servers 60 on behalf of clients 20 .
- Socket layer 508 may includes an IPv4 socket module (not shown), which supports connections with IPv4 resources, and an IPv6 socket module (not shown), which supports connections with IPv6 resources.
- Transmission Control Protocol (TCP) layer 510 implements transport layer functions, such as connection establishment, end-to-end flow control, and reliable delivery. As discussed below, TCP layer 510 can also implement some or all of the asymmetric routing detection operations described below.
- Proxy 30 may include additional transport layers, such as the User Datagram Protocol (UDP), as needed to support various network applications.
- IP layer 512 is a software module that implements IPv4 and/or IPv6 network layer protocol functions. Not illustrated, for purposes of clarity, are additional lower layers, such as link and physical layers of proxy 30 .
- a client-server transaction such as an HTTP transaction
- a client 60 When a client 60 initiates an HTTP session with a server 60 , it generally initiates a transport layer connection, such as a TCP connection, by transmitting a TCP SYN packet to initiate the three-way handshake, the conclusion of which establishes a TCP connection.
- a transport layer connection such as a TCP connection
- proxy 30 When proxy 30 intercepts a connection-initiating message from a client 60 , such as a TCP SYN packet, the proxy 30 establishes or terminates the connection with the client 60 (here, client-proxy connection 71 ) and establishes a new transport layer connection 72 with server 60 directly, spoofing both the client and the server on the respective connections. Proxy 30 maintains a mapping between connection 71 and connection 72 to forward data between the client 60 and server 20 . Generally speaking, each of the connections 71 , 72 can be identified by a unique tuple including the client IP address, client port number, server IP address, server port number and a protocol identifier.
- the client port numbers, as well as various state information (sequence numbers, and the like), will be different between the two connections 71 , 72 .
- an asymmetric routing condition may cause packets transmitted from server 20 to evade proxy 30 and be transmitted directly to client 60 , or vice versa.
- packets sourced from client 60 may traverse network path segment 99 a
- packets sourced from server 20 on the same TCP connection may traverse network path segment 99 b .
- client 60 initiates a TCP connection by transmitting a TCP SYN packet, which proxy 30 intercepts.
- Proxy 30 transmits a TCP SYN packet, spoofing client 60 , over network path segment 99 a .
- server 20 In response to a TCP SYN packet, server 20 generates and transmits a TCP SYN/ACK packet. If an asymmetric routing condition exists, then this packet may traverse network path segment 99 b .
- Firewall 39 b may filter this packet because it did not see the initial TCP SYN packet and therefore has no state information for the TCP connection. Operation of firewall 39 b , therefore, may prevent proxy 30 from detecting asymmetric routing with respect to the proxy-server connection 72 .
- firewall 39 a may filter the TCP RESET packet that client 60 would transmit in response to the SYN/ACK packet.
- a first process detects asymmetric routing at connection initiation, while the second process can detect asymmetric routing that may occur after connection initiation.
- FIG. 5 illustrates a process flow for detecting asymmetric routing at initiation of a connection.
- the processes described herein may be implemented when client 60 attempts to open a connection with a server 60 .
- client 60 transmits a connection-initiating message, such as a TCP SYN packet, which proxy 30 receives ( 302 ).
- Proxy 30 accesses a bypass table to determine whether a tuple comprising the client IP address and server IP address identified in the connection-initiating message has been added ( 303 ). If the bypass table contains a matching entry, proxy 30 forwards the connection-initiating message along the network and does not proxy the connection ( 304 ).
- an entry in the bypass table containing a tuple of the client IP address and server IP address may be added when an asymmetric routing condition is detected.
- a separate process may periodically scan the bypass table to collapse multiple entries that identify the same server IP address into one entry. To collapse these entries, the client IP address of the tuple is changed to a wildcard that matches all client IP addresses.
- Other implementations are also possible, such as applying a subnet mask to one or more of the client and server IP addresses in the entries.
- proxy initiates a proxy connection 72 to the server 20 by transmitting a connection-initiating message (e.g., TCP SYN packet) ( 305 ) and monitors for a response from the server 20 ( 306 ). If proxy 30 receives a response to the connection-initiating message (such as a TCP SYN/ACK packet) ( 308 ), the TCP layer 510 of proxy 30 can complete the connection handshake by acknowledging the response message. The TCP layer 510 can also handle other response types transmitted by the server 20 as well. In general, the TCP layer 510 will return information to the higher layer processes of proxy 30 indicating a successful connection or an error ( 330 ).
- a connection-initiating message e.g., TCP SYN packet
- the TCP layer 510 of proxy 30 can complete the connection handshake by acknowledging the response message.
- the TCP layer 510 can also handle other response types transmitted by the server 20 as well. In general, the TCP layer 510 will return information to the higher
- Application proxy 502 can then communicate this information to client 60 by completing the client-proxy connection or returning an error as appropriate. Whether a connection is successfully established or not is handled by normal TCP layer processes. On the other hand, the failure to receive a responsive message at all may be indicative of asymmetric routing.
- a TCP layer implementation transmits a TCP SYN packet and retransmits the TCP SYN packet a number of times if a response to the previously transmitted TCP SYN packet times out.
- proxy 30 may initiate a probe connection to the server 60 ( 310 , 312 ).
- the proxy 30 initiates a probe connection after the period of waiting for responses to two TCP SYN packets (one of which is retransmitted) have timed out.
- the proxy performing the probe is capable of a variety of alternatives and is the subject of a variety of engineering and design considerations.
- the probe connection may be initiated concurrently with the proxy-server connection or after a fewer or greater number of TCP SYN packets have timed out on the proxy-server connection.
- the probe connection may be initiated after N number of re-transmitted connection initiation messages, where N can equal 1 to X (where X is the total number of re-transmitted connection initiation messages until the proxy connection process times out and returns an error to a higher layer process.
- a delay between the proxy-server connection and the probe connection is preferred for efficiency reasons in order to allow the proxy-server connection to be established successfully without having to initiate the probe connection.
- Factors that may be considered are the time intervals between retransmits of the TCP SYN packets, the time interval until the TCP connection times out, the desired user experience, and the like.
- proxy 30 uses its own IP address when establishing the probe connection. In other words, even if asymmetric routing is present in the network, and if the server is online, the server response to the probe connection initiation message will reach proxy 30 .
- the proxy 30 establishes a TCP connection, transmitting a TCP SYN packet having a source address identifying the proxy 30 and a destination address identifying the server 20 .
- the TCP layer 510 may transmit multiple connection messages and time out the entire connection if no response to any of the connections messages is received. As FIG.
- TCP layer 510 illustrates, after proxy initiates a probe connection ( 312 ), it waits for a response to either or both of the proxy-server connection 72 and the probe connection ( 314 , 316 ).
- the result returned by TCP layer 510 in this instance, depends on the events that occur on either or both of the proxy-server connection or the probe connection and, in some implementations, on the timing between initiations of the proxy-server connection and the probe connection.
- proxy-server connection 72 and the probe connection time out proxy 30 assumes that server 20 is offline and returns a timeout error on the client-proxy connection 71 . If proxy 30 receives a TCP RESET from client 20 that corresponds to the proxy-server connection 72 (meaning that firewall 39 b did not filter the TCP SYN/ACK sourced from server 20 ), proxy 30 identifies an asymmetric routing condition, adds the client/server IP address tuple to the bypass table and transmits a message, such as a redirection message (e.g., HTTP 302 message), to the client 60 that causes it to re-establish a connection to server 20 .
- a redirection message e.g., HTTP 302 message
- proxy 30 completes the connection handshake and terminates the probe connection regardless of whether a response from the server 20 on the probe connection is received. If a response is received from server 20 on the probe connection and the proxy-server connection times out, proxy 30 also assumes an asymmetric routing condition adds the client/server IP address tuple to the bypass table and transmits a redirection message (e.g., HTTP 302 message) to the client 60 . In other implementations, if the delay between initiation of the probe connection and the proxy-server connection 72 is great enough, proxy 30 need not wait until the proxy-server connection 72 times out to identify an asymmetric routing condition. In some implementations, it may also be desirable to delay the probe connection relative to the proxy-server connection 72 , but also modify the TCP layer implementation for the probe connection such that both the probe connection and proxy-server connection 72 time out at approximately the same instant.
- connectivity to the server 20 can be verified and asymmetric routing conditions detected in network environments where packets, such as a TCP SYN/ACK packet, transmitted from server 20 traverse a different network path (e.g., network path segment 99 b in the example illustrated above) and are filtered by a network device (such as firewall 39 b ).
- packets such as a TCP SYN/ACK packet
- asymmetric routing conditions detected in network environments where packets, such as a TCP RST packet, transmitted from client 60 traverse a network path (e.g., network path segment 99 a in the example illustrated above) and are filtered by a network device (such as firewall 39 a ).
- asymmetric routing conditions may be relatively static, dynamic or unstable asymmetric routing conditions may also occur in the middle of active connections.
- Asymmetric routing can also occur after a TCP or other connection has been successfully established. For example, asymmetric routing can occur during an active exchange of packets on proxy-server connection 72 , perhaps due to either router errors or changes or temporary instabilities in the routing infrastructure. As the result of asymmetric routing, packets on the proxy-server connection 72 transmitted from the server 20 may be routed directly to client 60 bypassing proxy 30 . For example and with reference to FIG. 1B , even in the case where packets transmitted by server 20 on proxy-server connection 72 traverse the same network path as packets transmitted from proxy 30 to server 20 , an overload condition at router 40 (implementing WCCP redirection), for example, may cause the packets to leak directly to client 60 as opposed to being redirected to proxy 30 . Client 60 responds by transmitting TCP RESET packets.
- a first scenario if the client-to-server TCP RESET packet reaches the server 20 directly (bypassing proxy 30 ), then the server 20 will terminate the proxy-server connection 72 . In this case, the very next TCP packet sent from proxy 30 to server 20 will trigger server 20 to respond with a TCP RESET packet. This TCP RESET packet may again be asymmetrically routed to the client 20 , which simply drops the invalid TCP RESET packet transmitted from the server. This condition will persist until the proxy 30 exhausts its retransmission attempts and subsequently terminates the proxy-server connection 72 . In a second scenario, the client-to-server TCP RESET packet reaches the proxy 30 .
- Proxy 30 if configured according to prior art, will forward this TCP RESET packet to server 20 because this TCP RESET packet appears to be originated from the proxy itself and it is assumed that certain routing configurations may cause proxy 30 to receive a packet that it actually transmitted. Accordingly, proxy 30 accesses connection state information to determine whether it has indeed transmitted a TCP RESET packet.
- FIG. 6 sets forth an example process for detecting asymmetric routing during an active connection.
- proxy 30 receives a TCP RESET packet corresponding to proxy-server connection 72 and apparently sourced from client 60 ( 402 )
- proxy 30 determines whether the TCP RESET packet is valid ( 404 ).
- Proxy 30 can verify the TCP RESET packet by accessing connection state information it maintains for TCP and other connections to determine whether it has indeed transmitted a TCP RESET packet on the proxy-server connection 72 . If the TCP RESET packet is valid, proxy 30 forwards the TCP RESET packet ( 404 ). Otherwise, if the TCP RESET packet is invalid, proxy 30 drops the TCP RESET packet ( 408 ).
- proxy 30 Since the asymmetric routing condition may persist, the connection request (SYN, SYN/ACK) detection process discussed above will install the client/server IP address tuple into the bypass list. As FIG. 6 shows, if the client/server IP address tuple is contained on the bypass table ( 410 ), proxy 30 terminates the open proxy-server connection 72 and transmits an error message to the client 60 on the client-proxy connection 71 , causing it to retry and establish connections directly with server 20 ( 412 ). In an alternative embodiment, proxy 30 may terminate all open proxy-server connections corresponding to the client and the server.
- asymmetric routing condition is temporary, then the proxy-server connection 72 is not affected by the client-triggered TCP RESET packet. This may yield significant performance improvements, especially when misbehaving, unstable routers exist in the network, because the proxy 30 maintains the proxy-server connection 72 instead of tearing the connection down in response to only a temporary asymmetric routing condition. As discussed above, more stable asymmetric routing conditions will be detected and mitigated as new connections between client 60 and server 20 are established.
- Some or all of the processes and operations set forth above can be implemented as extensions to a transport layer implementation, such as a TCP layer module.
- a transport layer implementation such as a TCP layer module.
- the TCP layer may initially attempt to open a proxy-server connection and, subsequently, initiate a probe connection to the server if a response to the initial TCP SYNs transmitted to the server on the proxy-server connection is not received.
- the second process can be similarly implemented as an extension to a TCP or other transport layer connection module.
- FIG. 2 illustrates an example computing system architecture, which may be used to implement a physical proxy or cache server.
- hardware system 200 comprises a processor 202 , a cache memory 204 , and one or more executable modules and drivers, stored on a computer readable medium, directed to the functions described herein.
- hardware system 200 includes a high performance input/output (I/O) bus 206 and a standard I/O bus 208 .
- I/O input/output
- a host bridge 210 couples processor 202 to high performance I/O bus 206
- I/O bus bridge 212 couples the two buses 206 and 208 to each other.
- a system memory 214 and one or more network/communication interfaces 216 couple to bus 206 .
- Hardware system 200 may further include video memory (not shown) and a display device coupled to the video memory. Mass storage 218 , and I/O ports 220 couple to bus 208 . Hardware system 200 may optionally include a keyboard and pointing device, and a display device (not shown) coupled to bus 208 . Collectively, these elements are intended to represent a broad category of computer hardware systems, including but not limited to general purpose computer systems based on the x86-compatible processors manufactured by Intel Corporation of Santa Clara, Calif., and the x86-compatible processors manufactured by Advanced Micro Devices (AMD), Inc., of Sunnyvale, Calif., as well as any other suitable processor.
- AMD Advanced Micro Devices
- network interface 216 provides communication between hardware system 200 and any of a wide range of networks, such as an Ethernet (e.g., IEEE 802.3) network, etc.
- Mass storage 218 provides permanent storage for the data and programming instructions to perform the above-described functions implemented in the cache or proxy 30
- system memory 214 e.g., DRAM
- I/O ports 220 are one or more serial and/or parallel communication ports that provide communication between additional peripheral devices, which may be coupled to hardware system 200 .
- Hardware system 200 may include a variety of system architectures; and various components of hardware system 200 may be rearranged.
- cache 204 may be on-chip with processor 202 .
- cache 204 and processor 202 may be packed together as a “processor module,” with processor 202 being referred to as the “processor core.”
- certain embodiments of the present invention may not require nor include all of the above components.
- the peripheral devices shown coupled to standard I/O bus 208 may couple to high performance I/O bus 206 .
- only a single bus may exist, with the components of hardware system 200 being coupled to the single bus.
- hardware system 200 may include additional components, such as additional processors, storage devices, or memories.
- the operations of one or more of the proxy or cache servers described herein are implemented as a series of executable modules run by hardware system 200 .
- a set of software modules or drivers implements a network communications protocol stack, including a link layer driver, a network layer driver, one or more transport layer modules (e.g., TCP, UDP, etc.), session layer modules, application layer modules and the like.
- the hardware system 200 may also host a proxy-router intercommunication module, such as a WCCP module, that negotiates associations with one or more routers for redirection of network traffic.
- the foregoing functional modules may be realized by hardware, executable modules stored on a computer readable medium, or a combination of both.
- the functional modules may comprise a plurality or series of instructions to be executed by a processor in a hardware system, such as processor 202 .
- the series of instructions may be stored on a storage device, such as mass storage 218 .
- the series of instructions can be stored on any suitable storage medium, such as a diskette, CD-ROM, ROM, EEPROM, etc.
- the series of instructions need not be stored locally, and could be received from a remote storage device, such as a server on a network, via network/communication interface 216 .
- the instructions are copied from the storage device, such as mass storage 218 , into memory 214 and then accessed and executed by processor 202 .
- An operating system manages and controls the operation of hardware system 200 , including the input and output of data to and from software applications (not shown).
- the operating system provides an interface between the software applications being executed on the system and the hardware components of the system.
- Any suitable operating system may be used, such as the Windows Operating System offered by Microsoft Corporation, the Apple Macintosh Operating System, available from Apple Computer Inc. of Cupertino, Calif., UNIX operating systems, LINUX operating systems, BSD operating systems, and the like.
- the proxy and caching functionalities described herein may be implemented in firmware or on an application specific integrated circuit.
- the above-described elements and operations can be comprised of instructions that are stored on storage media.
- the instructions can be retrieved and executed by a processing system.
- Some examples of instructions are software, program code, and firmware.
- Some examples of storage media are memory devices, tape, disks, integrated circuits, and servers.
- the instructions are operational when executed by the processing system to direct the processing system to operate in accord with the invention.
- processing system refers to a single processing device or a group of inter-operational processing devices. Some examples of processing devices are integrated circuits and logic circuitry. Those skilled in the art are familiar with instructions, computers, and storage media.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Security & Cryptography (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
Description
Claims (18)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US12/433,443 US8032641B2 (en) | 2009-04-30 | 2009-04-30 | Assymmetric traffic flow detection |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US12/433,443 US8032641B2 (en) | 2009-04-30 | 2009-04-30 | Assymmetric traffic flow detection |
Publications (2)
Publication Number | Publication Date |
---|---|
US20100281168A1 US20100281168A1 (en) | 2010-11-04 |
US8032641B2 true US8032641B2 (en) | 2011-10-04 |
Family
ID=43031228
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US12/433,443 Expired - Fee Related US8032641B2 (en) | 2009-04-30 | 2009-04-30 | Assymmetric traffic flow detection |
Country Status (1)
Country | Link |
---|---|
US (1) | US8032641B2 (en) |
Cited By (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20060248194A1 (en) * | 2005-03-18 | 2006-11-02 | Riverbed Technology, Inc. | Connection forwarding |
US20110161653A1 (en) * | 2009-12-24 | 2011-06-30 | Keohane Susann M | Logical Partition Media Access Control Impostor Detector |
US20130290544A1 (en) * | 2011-06-15 | 2013-10-31 | Juniper Networks, Inc. | Routing proxy for resource requests and resources |
US9571566B2 (en) | 2011-06-15 | 2017-02-14 | Juniper Networks, Inc. | Terminating connections and selecting target source devices for resource requests |
US10009364B2 (en) | 2016-03-25 | 2018-06-26 | Cisco Technology, Inc. | Gathering flow characteristics for anomaly detection systems in presence of asymmetrical routing |
US10757121B2 (en) | 2016-03-25 | 2020-08-25 | Cisco Technology, Inc. | Distributed anomaly detection management |
US11223567B2 (en) | 2019-01-18 | 2022-01-11 | Cisco Technology, Inc. | Transmission control protocol session mobility |
Families Citing this family (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20110078313A1 (en) * | 2009-09-30 | 2011-03-31 | St-Ericsson Sa | Method and system for managing a connection in a connection oriented in-order delivery environment |
US20110078255A1 (en) * | 2009-09-30 | 2011-03-31 | Andrei Radulescu | Method and system for managing a connection in a connection oriented in-order delivery environment |
US8776207B2 (en) | 2011-02-16 | 2014-07-08 | Fortinet, Inc. | Load balancing in a network with session information |
US8891532B1 (en) * | 2011-05-17 | 2014-11-18 | Hitachi Data Systems Engineering UK Limited | System and method for conveying the reason for TCP reset in machine-readable form |
EP2854357A1 (en) * | 2013-09-30 | 2015-04-01 | Thomson Licensing | Method for connecting a first host and a second host within at least one communication network through a relay module, corresponding relay module |
US20150100622A1 (en) * | 2013-10-04 | 2015-04-09 | Comcast Cable Communications, Llc | Network Device Mediation |
WO2015150975A1 (en) * | 2014-04-02 | 2015-10-08 | Strato Scale Ltd. | Remote asymmetric tcp connection offload over rdma |
US9118582B1 (en) | 2014-12-10 | 2015-08-25 | Iboss, Inc. | Network traffic management using port number redirection |
CN105959228B (en) * | 2016-06-23 | 2020-06-16 | 华为技术有限公司 | Traffic processing method and transparent cache system |
US10419542B2 (en) * | 2017-07-26 | 2019-09-17 | Verizon Patent And Licensing Inc. | Transmission control protocol (TCP) synchronize (SYN) signaling passthrough for TCP proxy servers |
CN113114528A (en) * | 2017-09-22 | 2021-07-13 | 华为技术有限公司 | Communication connection detection method and device |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20020167960A1 (en) | 2001-02-28 | 2002-11-14 | Garcia-Luna-Aceves Jose J. | System and method for transmission scheduling using network membership information and neighborhood information |
US20030043792A1 (en) | 2001-08-31 | 2003-03-06 | Carpini Walter Joseph | Label switched communication network, a method of conditioning the network and a method of data transmission |
US20030152034A1 (en) * | 2002-02-01 | 2003-08-14 | Microsoft Corporation | Peer-to-peer method of quality of service (Qos) probing and analysis and infrastructure employing same |
US20070283023A1 (en) * | 2006-05-30 | 2007-12-06 | Riverbed Technology, Inc. | Selecting proxies from among autodiscovered proxies |
US7366101B1 (en) | 2003-06-30 | 2008-04-29 | Packeteer, Inc. | Network traffic synchronization mechanism |
US7599283B1 (en) | 2003-06-30 | 2009-10-06 | Packeteer, Inc. | Network traffic synchronization and data compression in redundant network topologies |
-
2009
- 2009-04-30 US US12/433,443 patent/US8032641B2/en not_active Expired - Fee Related
Patent Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20020167960A1 (en) | 2001-02-28 | 2002-11-14 | Garcia-Luna-Aceves Jose J. | System and method for transmission scheduling using network membership information and neighborhood information |
US20030043792A1 (en) | 2001-08-31 | 2003-03-06 | Carpini Walter Joseph | Label switched communication network, a method of conditioning the network and a method of data transmission |
US20030152034A1 (en) * | 2002-02-01 | 2003-08-14 | Microsoft Corporation | Peer-to-peer method of quality of service (Qos) probing and analysis and infrastructure employing same |
US7366101B1 (en) | 2003-06-30 | 2008-04-29 | Packeteer, Inc. | Network traffic synchronization mechanism |
US7599283B1 (en) | 2003-06-30 | 2009-10-06 | Packeteer, Inc. | Network traffic synchronization and data compression in redundant network topologies |
US20070283023A1 (en) * | 2006-05-30 | 2007-12-06 | Riverbed Technology, Inc. | Selecting proxies from among autodiscovered proxies |
Cited By (12)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20060248194A1 (en) * | 2005-03-18 | 2006-11-02 | Riverbed Technology, Inc. | Connection forwarding |
US20120166661A1 (en) * | 2005-03-18 | 2012-06-28 | Riverbed Technology, Inc. | Connection forwarding |
US8386637B2 (en) * | 2005-03-18 | 2013-02-26 | Riverbed Technology, Inc. | Connection forwarding |
US20110161653A1 (en) * | 2009-12-24 | 2011-06-30 | Keohane Susann M | Logical Partition Media Access Control Impostor Detector |
US9088609B2 (en) * | 2009-12-24 | 2015-07-21 | International Business Machines Corporation | Logical partition media access control impostor detector |
US9491194B2 (en) | 2009-12-24 | 2016-11-08 | International Business Machines Corporation | Logical partition media access control impostor detector |
US20130290544A1 (en) * | 2011-06-15 | 2013-10-31 | Juniper Networks, Inc. | Routing proxy for resource requests and resources |
US9571566B2 (en) | 2011-06-15 | 2017-02-14 | Juniper Networks, Inc. | Terminating connections and selecting target source devices for resource requests |
US9647871B2 (en) * | 2011-06-15 | 2017-05-09 | Juniper Networks, Inc. | Routing proxy for resource requests and resources |
US10009364B2 (en) | 2016-03-25 | 2018-06-26 | Cisco Technology, Inc. | Gathering flow characteristics for anomaly detection systems in presence of asymmetrical routing |
US10757121B2 (en) | 2016-03-25 | 2020-08-25 | Cisco Technology, Inc. | Distributed anomaly detection management |
US11223567B2 (en) | 2019-01-18 | 2022-01-11 | Cisco Technology, Inc. | Transmission control protocol session mobility |
Also Published As
Publication number | Publication date |
---|---|
US20100281168A1 (en) | 2010-11-04 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US8032641B2 (en) | Assymmetric traffic flow detection | |
US10009230B1 (en) | System and method of traffic inspection and stateful connection forwarding among geographically dispersed network appliances organized as clusters | |
US8938553B2 (en) | Cooperative proxy auto-discovery and connection interception through network address translation | |
Bonaventure et al. | Use cases and operational experience with multipath TCP | |
EP3834396B1 (en) | User datagram protocol tunneling in distributed application instances | |
US7318100B2 (en) | Cooperative proxy auto-discovery and connection interception | |
KR101099382B1 (en) | Endpoint address change in a packet network | |
US7924832B2 (en) | Facilitating transition of network operations from IP version 4 to IP version 6 | |
US20080320154A1 (en) | Cooperative proxy auto-discovery and connection interception | |
US11882199B2 (en) | Virtual private network (VPN) whose traffic is intelligently routed | |
US8688844B1 (en) | Establishing network connections between transparent network devices | |
JP2012182845A (en) | Methods and apparatus for network address change for mobile devices | |
US11863655B2 (en) | Method and system for reliable application layer data transmission through unreliable transport layer connections in a network | |
US7564848B2 (en) | Method for the establishing of connections in a communication system | |
US10958625B1 (en) | Methods for secure access to services behind a firewall and devices thereof | |
US8181060B1 (en) | Preventing data corruption with transparent network connections | |
Bhagwat et al. | MSOCKS+: an architecture for transport layer mobility | |
JP3648211B2 (en) | Packet relay program, packet relay device, and recording medium | |
Duchêne | Helping the Internet scale by leveraging path diversity |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
AS | Assignment |
Owner name: BLUE COAT SYSTEMS, INC., CALIFORNIA Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:LI, QING;FREDERICK, RONALD;REEL/FRAME:022622/0881 Effective date: 20090430 |
|
ZAAA | Notice of allowance and fees due |
Free format text: ORIGINAL CODE: NOA |
|
ZAAB | Notice of allowance mailed |
Free format text: ORIGINAL CODE: MN/=. |
|
STCF | Information on status: patent grant |
Free format text: PATENTED CASE |
|
AS | Assignment |
Owner name: JEFFERIES FINANCE LLC, NEW YORK Free format text: SECOND LIEN PATENT SECURITY AGREEMENT;ASSIGNOR:BLUE COAT SYSTEMS, INC.;REEL/FRAME:027727/0178 Effective date: 20120215 Owner name: JEFFERIES FINANCE LLC, NEW YORK Free format text: FIRST LIEN PATENT SECURITY AGREEMENT;ASSIGNOR:BLUE COAT SYSTEMS, INC.;REEL/FRAME:027727/0144 Effective date: 20120215 |
|
AS | Assignment |
Owner name: BLUE COAT SYSTEMS, INC., CALIFORNIA Free format text: RELEASE OF SECURITY INTEREST IN PATENT COLLATERAL RECORDED AT R/F 027727/0178;ASSIGNOR:JEFFERIES FINANCE LLC, AS COLLATERAL AGENT;REEL/FRAME:029140/0170 Effective date: 20121016 |
|
AS | Assignment |
Owner name: JEFFERIES FINANCE LLC, AS COLLATERAL AGENT, NEW YO Free format text: SECOND LIEN PATENT SECURITY AGREEMENT;ASSIGNOR:BLUE COAT SYSTEMS, INC.;REEL/FRAME:030740/0181 Effective date: 20130628 |
|
FPAY | Fee payment |
Year of fee payment: 4 |
|
AS | Assignment |
Owner name: JEFFERIES FINANCE LLC, AS THE COLLATERAL AGENT, NE Free format text: SECURITY INTEREST;ASSIGNOR:BLUE COAT SYSTEMS, INC.;REEL/FRAME:035751/0348 Effective date: 20150522 |
|
AS | Assignment |
Owner name: BLUE COAT SYSTEMS, INC., CALIFORNIA Free format text: RELEASE OF SECURITY INTEREST IN PATENT COLLATERAL AT REEL/FRAME NO. 30740/0181;ASSIGNOR:JEFFERIES FINANCE LLC;REEL/FRAME:035797/0280 Effective date: 20150522 Owner name: BLUE COAT SYSTEMS, INC., CALIFORNIA Free format text: RELEASE OF SECURITY INTEREST IN PATENT COLLATERAL AT REEL/FRAME NO. 27727/0144;ASSIGNOR:JEFFERIES FINANCE LLC;REEL/FRAME:035798/0006 Effective date: 20150522 |
|
AS | Assignment |
Owner name: BLUE COAT SYSTEMS, INC., CALIFORNIA Free format text: RELEASE BY SECURED PARTY;ASSIGNOR:JEFFERIES FINANCE LLC;REEL/FRAME:039516/0929 Effective date: 20160801 |
|
AS | Assignment |
Owner name: SYMANTEC CORPORATION, CALIFORNIA Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:BLUE COAT SYSTEMS, INC.;REEL/FRAME:039851/0044 Effective date: 20160801 |
|
MAFP | Maintenance fee payment |
Free format text: PAYMENT OF MAINTENANCE FEE, 8TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1552); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY Year of fee payment: 8 |
|
AS | Assignment |
Owner name: CA, INC., CALIFORNIA Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:SYMANTEC CORPORATION;REEL/FRAME:051144/0918 Effective date: 20191104 |
|
FEPP | Fee payment procedure |
Free format text: MAINTENANCE FEE REMINDER MAILED (ORIGINAL EVENT CODE: REM.); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY |
|
LAPS | Lapse for failure to pay maintenance fees |
Free format text: PATENT EXPIRED FOR FAILURE TO PAY MAINTENANCE FEES (ORIGINAL EVENT CODE: EXP.); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY |
|
STCH | Information on status: patent discontinuation |
Free format text: PATENT EXPIRED DUE TO NONPAYMENT OF MAINTENANCE FEES UNDER 37 CFR 1.362 |
|
FP | Lapsed due to failure to pay maintenance fee |
Effective date: 20231004 |